Quantum cryptography protocols robust against photon number splitting attacks for weak laser pulses implementations

Valerio Scarani 1, Antonio Acín 1, Grégoire Ribordy 2 and Nicolas Gisin 1
1 Group of Applied Physics, University of Geneva, 20, rue de l'Ecole-de-Médecine, CH-1211 Geneva 4, Switzerland
2 Id-Quantique, rue Cingria 10, CH-1205 Geneva, Switzerland
(February 1, 2008)

We introduce a new class of quantum key distribution protocols, tailored to be robust against photon number splitting (PNS) attacks. We study one of these protocols, which differs from the BB84 only in the classical sifting procedure. This protocol is provably better than BB84 against PNS attacks at zero error.
Quantum cryptography, or more precisely quantum key distribution (QKD), is the only physically secure method for the distribution of a secret key between two distant partners, Alice and Bob [1]. Its security comes from the well-known fact that the measurement of an unknown quantum state modifies the state itself: thus an eavesdropper on the quantum channel, Eve, cannot get information on the key without introducing errors in the correlations between Alice and Bob. In equivalent terms, QKD is secure because of the no-cloning theorem of quantum mechanics: Eve cannot duplicate the signal and forward a perfect copy to Bob.

In the last years, several long-distance implementations of QKD have been developed, that use photons as information carriers and optical fibers as quantum channels [1]. Most often, although not always [2], Alice sends to Bob a weak laser pulse in which she has encoded the bit. Each pulse is a priori in a coherent state $|\sqrt{\mu}\,e^{i\theta}\rangle$ of weak intensity, typically $\mu \simeq 0.1$ photons. However, since no reference phase is available outside Alice's office, Bob and Eve have no information on $\theta$. Consequently, they see the mixed state $\rho = \int \frac{d\theta}{2\pi}\, |\sqrt{\mu}\,e^{i\theta}\rangle\langle\sqrt{\mu}\,e^{i\theta}|$. This state can be re-written as a mixture of Fock states, $\sum_n p_n\, |n\rangle\langle n|$, with the number $n$ of photons distributed according to the Poissonian statistics of mean $\mu$, $p_n = p_n(\mu) = e^{-\mu}\mu^n/n!$. Because two realizations of the same density matrix are indistinguishable, QKD with weak pulses can be re-interpreted as follows: Alice encodes her bit in one photon with frequency $p_1$, in two photons with frequency $p_2$, and so on, and does nothing with frequency $p_0$. Thus, in weak pulses QKD, a rather important fraction of the non-empty pulses actually contain more than one photon. For these pulses, Eve is then no longer limited by the no-cloning theorem: she can simply keep some of the photons while letting the others go to Bob. Such an attack is called photon-number splitting (PNS) attack. Although PNS attacks are far beyond today's technology [3], if one includes them in the security analysis, the consequences are dramatic [4,5].

In this Letter, we present new QKD protocols that are secure against PNS attacks up to significantly longer distances, and that can thus lead to a secure implementation of QKD with weak pulses. These protocols are better tailored than the ones studied before to exploit the correlations that can be established using $\rho$. The basic idea is that Alice should encode each bit into a pair of non-orthogonal states belonging to two or more suitable sets.

The structure of the paper is as follows. First, we review the PNS attack on the first and best-known QKD protocol, the BB84 protocol [6], in order to understand why this attack is really devastating when the bit is encoded into pairs of orthogonal states. Then we present the benefits of using non-orthogonal states, mostly by focusing on a specific new protocol which is a simple modification of the BB84.

PNS attacks on the BB84 protocol. Alice encodes each bit in a qubit, either as an eigenstate of $\sigma_x$ ($|+x\rangle$ coding 0 or $|-x\rangle$ coding 1) or as an eigenstate of $\sigma_z$ ($|+z\rangle$ coding 0 or $|-z\rangle$ coding 1). The qubit is sent to Bob, who measures either $\sigma_x$ or $\sigma_z$. Then comes a classical procedure known as "sifting" or "basis-reconciliation": Alice communicates to Bob through a public classical channel the basis, $x$ or $z$, in which she prepared each qubit. When Bob has used the same basis for his measurement, he knows that (in the absence of perturbations, and in particular in the absence of Eve) he has got the correct result. When Bob has used the wrong basis, the partners simply discard that item.

Consider now the implementation of the BB84 protocol with weak pulses. Bob's raw detection rate is the probability that he detects a photon per pulse sent by Alice. In the absence of Eve, this is given by

$$R_{raw}(\delta) = \sum_n p_n\,\big[1 - (1 - \eta_{det}\,\eta_\delta)^n\big] \approx \eta_{det}\,\eta_\delta\,\mu \qquad (1)$$

where $\eta_{det}$ is the quantum efficiency of the detector (typically 10% at telecom wavelengths), and $\eta_\delta$ is the attenuation due to the losses in the fiber of length $\ell$:

$$\eta_\delta = 10^{-\delta/10}, \qquad \delta = \alpha\,\ell\ [\mathrm{dB}] \qquad (2)$$

Below, when we give a distance, we assume the typical value $\alpha = 0.25$ dB/km. The approximate equality in (1) is valid if $\eta_{det}\,\eta_\delta\,p_n\,n \ll 1$ for all $n$, which is always the case in weak pulses QKD.

If we endow Eve with unlimited technological power within the laws of physics, the following PNS attack (storage attack) is in principle possible [4,5]: (I) Eve counts the number of photons, using a photon-number quantum non-demolition (QND) measurement; (II) she blocks the single-photon pulses, and for the multi-photon pulses she stores one photon in a quantum memory; she forwards the remaining photons to Bob using a perfectly transparent quantum channel, $\eta_\delta = 1$ [7]; (III) she waits until Alice and Bob publicly reveal the used bases and correspondingly measures the photons stored in her quantum memory: she has to discriminate between two orthogonal states, and this can be done deterministically. This way, Eve has obtained full information about Alice's bits, thence no processing can distill secret keys for the legitimate users; moreover, Eve hasn't introduced any error on Bob's side.

The unique constraint on PNS attacks is that Eve's presence should not be noticed; in particular, Eve must ensure that the rate of photons received by Bob (1) is not modified [8]. Thus, the PNS attack can be performed on all pulses only when the losses that Bob expects because of the fiber are equal to those introduced by Eve's storing and blocking photons, that is, when the attenuation in the fiber is larger than a critical value $\delta_c^{BB84}$, defined by

$$R_{raw}(\delta_c^{BB84}) = \sum_{n \ge 2} p_n\,\big[1 - (1 - \eta_{det})^{n-1}\big] \approx \eta_{det}\,p_2 . \qquad (3)$$

For $\mu = 0.1$, we find $\delta_c^{BB84} = 13$ dB, that is $\ell_c^{BB84} \approx 50$ km. For shorter distances, Eve can optimize her attack, but won't be able to obtain full information; Alice and Bob can therefore use a privacy amplification scheme to retrieve a shorter secret key from their data. In conclusion, for $\delta > \delta_c^{BB84}$, the weak-pulses implementation of the BB84 protocol becomes in principle insecure, even for zero quantum-bit error rate (QBER).
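The following Python script, added here as a worked example and not part of the original Letter, evaluates the exact form of (1) and (2), Bob's rate under the storage attack given by the right-hand side of (3), and solves (3) for the critical attenuation by bisection. The detector efficiency $\eta_{det} = 0.1$ and $\alpha = 0.25$ dB/km are the values assumed in the text; truncating the Poisson sum at $n = 20$ is a choice made here.

```python
"""Worked example (added; not from the Letter): Bob's raw detection rate for
weak-pulse BB84, eqs. (1)-(2), and the critical attenuation of eq. (3) beyond
which the PNS storage attack leaves Bob's rate unchanged. Standard library only."""
import math

ETA_DET = 0.10            # detector quantum efficiency (10% at telecom wavelengths)
ALPHA_DB_PER_KM = 0.25    # fibre attenuation assumed in the text
N_MAX = 20                # truncation of the Poisson sum (p_n is negligible beyond this for mu < 1)


def poisson(n, mu):
    """p_n(mu) = e^{-mu} mu^n / n!: photon-number statistics of a phase-randomised weak pulse."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def eta_delta(delta_db):
    """Eq. (2): fibre transmission for an attenuation of delta_db decibels."""
    return 10 ** (-delta_db / 10)


def raw_rate(delta_db, mu, eta_det=ETA_DET):
    """Eq. (1), exact form: probability per pulse that Bob's detector fires (no Eve)."""
    t = eta_det * eta_delta(delta_db)
    return sum(poisson(n, mu) * (1 - (1 - t) ** n) for n in range(1, N_MAX + 1))


def pns_storage_rate(mu, eta_det=ETA_DET):
    """Right-hand side of eq. (3): Bob's rate when Eve blocks single-photon pulses,
    keeps one photon of every multi-photon pulse and forwards the rest losslessly."""
    return sum(poisson(n, mu) * (1 - (1 - eta_det) ** (n - 1)) for n in range(2, N_MAX + 1))


def critical_attenuation_bb84(mu, eta_det=ETA_DET, tol=1e-6):
    """Solve raw_rate(delta) = pns_storage_rate(mu) for delta (dB) by bisection.
    raw_rate decreases monotonically with delta, so the root is unique."""
    target = pns_storage_rate(mu, eta_det)
    lo, hi = 0.0, 100.0   # at 0 dB the rate exceeds the target, at 100 dB it is far below
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if raw_rate(mid, mu, eta_det) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def critical_distance_km(delta_db, alpha=ALPHA_DB_PER_KM):
    """Fibre length corresponding to an attenuation delta_db, from delta = alpha * l."""
    return delta_db / alpha


if __name__ == "__main__":
    mu = 0.1
    dc = critical_attenuation_bb84(mu)
    print(f"mu={mu}: R_raw(0 dB)={raw_rate(0.0, mu):.4e}, leading order eta_det*mu={ETA_DET * mu:.4e}")
    print(f"critical attenuation {dc:.2f} dB  ->  {critical_distance_km(dc):.0f} km")
    # Eve's constraint: at delta_c her attack leaves Bob's detection rate unchanged
    print(f"rate under attack {pns_storage_rate(mu):.4e} vs expected {raw_rate(dc, mu):.4e}")
```

The exact sums give $\delta_c^{BB84} \approx 13.2$ dB, i.e. about 53 km at 0.25 dB/km, in agreement with the rounded 13 dB and 50 km quoted above; the leading-order form $\eta_{\delta_c}\mu = p_2$ gives 13.4 dB.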

Encoding in non-orthogonal states. The extreme weakness of the BB84 protocol against PNS attacks is due to the fact that whenever Eve can keep one photon, she gets all the information, because after the sifting phase she has to discriminate between two eigenstates of a known Hermitian operator. Intuition suggests then that the robustness against PNS attacks can be increased by using protocols that encode the classical bit into pairs of non-orthogonal states, that cannot be discriminated deterministically. We prove that this intuition is correct.

To fix the ideas, consider the following protocol using four states: Alice encodes each bit in the state of a qubit, belonging either to the set $A = \{|0_a\rangle, |1_a\rangle\}$ or to the set $B = \{|0_b\rangle, |1_b\rangle\}$, with $|\langle 0_a|1_a\rangle| = |\langle 0_b|1_b\rangle| = \chi \neq 0$ (Fig. 1, left). In the absence of an eavesdropper, Bob can be perfectly correlated with Alice: in fact, although the two states are not orthogonal, one can construct a generalized measurement that unambiguously discriminates between the two. The price to pay is that sometimes one gets an inconclusive result [9]. Such a measurement can be realized by a selective filtering, that is a filter whose effect is not the same on all states, followed by a von Neumann measurement on the photons that pass the filter [10]. In the example of Fig. 1, the filter that discriminates between the elements of $A$ is given by $F_A = \frac{1}{\sqrt{1+\chi}}\big(|{+x}\rangle\langle 1_a^\perp| + |{-x}\rangle\langle 0_a^\perp|\big)$, where $|\psi^\perp\rangle$ is the state orthogonal to $|\psi\rangle$. When the photons are prepared in a state of the pair $A$, a fraction $1-\chi$ of them pass this filter, and in this case the von Neumann measurement of $\sigma_x$ achieves the discrimination. It is then clear how the cryptography protocol generalizes BB84: Bob randomly applies on each qubit one of the two filters $F_A$ or $F_B$, and measures $\sigma_x$ on the outcome. Later, Alice discloses for each bit the set $A$ or $B$: Alice and Bob discard all the items in which Bob has chosen the wrong filter and all the inconclusive results.
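As an added illustration (not from the original Letter), the Python code below builds the filter $F_A$ for a pair of qubit states with overlap $\chi$ and checks the three properties used above: a fraction $1-\chi$ of the photons pass, a passed photon gives a definite $\sigma_x$ outcome that identifies the state, and $F_A^\dagger F_A \le 1$ with largest eigenvalue exactly 1, so the prefactor $1/\sqrt{1+\chi}$ is the largest admissible one. Placing the pair symmetrically about the $x$ axis in the $x$-$z$ plane is this example's geometry; the default $\chi = 1/\sqrt{2}$ is the overlap used in the specific protocol of this Letter. All 2x2 linear algebra is written out by hand so the script runs without numpy.

```python
"""Worked example (added; not the Letter's code): the selective filter F_A that
unambiguously discriminates the two non-orthogonal states of a pair A, followed by
a sigma_x measurement on the photons that pass. Kets are 2-component complex
tuples in the sigma_z eigenbasis."""
import math

# Eigenstates of sigma_x written in the z basis
KET_PX = (1 / math.sqrt(2) + 0j, 1 / math.sqrt(2) + 0j)
KET_MX = (1 / math.sqrt(2) + 0j, -1 / math.sqrt(2) + 0j)


def braket(a, b):
    """<a|b> for 2-component kets."""
    return sum(x.conjugate() * y for x, y in zip(a, b))


def ketbra(a, b):
    """|a><b| as a 2x2 matrix (list of rows)."""
    return [[a[i] * b[j].conjugate() for j in range(2)] for i in range(2)]


def mat_add(m1, m2):
    return [[m1[i][j] + m2[i][j] for j in range(2)] for i in range(2)]


def mat_vec(m, v):
    return tuple(m[i][0] * v[0] + m[i][1] * v[1] for i in range(2))


def mat_mul(m1, m2):
    return [[sum(m1[i][k] * m2[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def adjoint(m):
    return [[m[j][i].conjugate() for j in range(2)] for i in range(2)]


def perp(psi):
    """The state orthogonal to |psi> (unique up to a phase for a qubit)."""
    return (-psi[1].conjugate(), psi[0].conjugate())


def build_filter(ket0, ket1):
    """F_A = (|+x><1_a^perp| + |-x><0_a^perp|) / sqrt(1 + chi) with chi = |<0_a|1_a>|.
    Returns (F_A, chi)."""
    chi = abs(braket(ket0, ket1))
    f = mat_add(ketbra(KET_PX, perp(ket1)), ketbra(KET_MX, perp(ket0)))
    scale = 1 / math.sqrt(1 + chi)
    return [[scale * f[i][j] for j in range(2)] for i in range(2)], chi


def filter_and_measure(f, psi):
    """Apply F to |psi>. Returns (probability the photon passes,
    probability that sigma_x then gives +1, conditional on passing)."""
    out = mat_vec(f, psi)
    p_pass = abs(braket(out, out))
    if p_pass < 1e-15:
        return 0.0, None
    p_plus = abs(braket(KET_PX, out)) ** 2 / p_pass
    return p_pass, p_plus


def max_eigenvalue_hermitian(m):
    """Largest eigenvalue of a 2x2 Hermitian matrix (closed-form quadratic)."""
    a, d = m[0][0].real, m[1][1].real
    tr, det = a + d, a * d - abs(m[0][1]) ** 2
    return tr / 2 + math.sqrt(max(tr * tr / 4 - det, 0.0))


def bloch_xz(theta):
    """Real qubit in the x-z plane at polar angle theta: cos(theta/2)|+z> + sin(theta/2)|-z>."""
    return (math.cos(theta / 2) + 0j, math.sin(theta / 2) + 0j)


def demo(chi=1 / math.sqrt(2)):
    """Pair A with overlap chi, symmetric about the x axis (example geometry).
    Two states at polar angles pi/2 -/+ acos(chi) have overlap cos(acos(chi)) = chi."""
    half = math.acos(chi)
    ket0, ket1 = bloch_xz(math.pi / 2 - half), bloch_xz(math.pi / 2 + half)
    f, chi_measured = build_filter(ket0, ket1)
    pass0, plus0 = filter_and_measure(f, ket0)
    pass1, plus1 = filter_and_measure(f, ket1)
    top = max_eigenvalue_hermitian(mat_mul(adjoint(f), f))
    return {"chi": chi_measured, "pass0": pass0, "pass1": pass1,
            "sx_plus_given_0": plus0, "sx_plus_given_1": plus1, "top_eig_FdagF": top}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>16}: {value:.6f}")
```

For $\chi = 1/\sqrt{2}$ both states pass with probability $1 - 1/\sqrt{2} \approx 0.293$; a passed $|0_a\rangle$ always gives $\sigma_x = +1$ and a passed $|1_a\rangle$ always gives $\sigma_x = -1$, which is the unambiguous discrimination. The largest eigenvalue of $F_A^\dagger F_A$ being 1 shows that $I - F_A^\dagger F_A$ is positive but singular: any larger prefactor would not be a physical filter.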

Of course, since not all the qubits will pass the filter even when it was correctly chosen, there is a small nuisance on Bob's side because the net key rate is decreased. This is compensated by increasing $\mu$ by a factor $1/(1-\chi)$. However, the nuisance is by far bigger on Eve's side, even when the increased mean number of photons $\mu$ is taken into account. We shall give a detailed analysis of the PNS attacks below for a specific protocol, but a simple estimate shows the origin of the improved robustness. Eve can obtain full information only when (i) she can block all the pulses containing one and two photons, and (ii) on the pulses containing three or more photons, she performs a suitable unambiguous discrimination measurement (see below) and obtains a conclusive outcome, which happens only with probability $p_{ok} < 1$. Consequently, the critical attenuation is defined by $R_{raw}(\delta_c) = \eta_{det}\,p_3\!\left(\frac{\mu}{1-\chi}\right) p_{ok}$, and is determined by $p_3$ instead of $p_2$ as in the BB84, see (3). For typical values, $\delta_c - \delta_c^{BB84} \approx 10$ dB, which means an improvement of some 40 km in the distance [11].

A specific protocol. Here is an astonishingly simple protocol using four non-orthogonal states. Alice sends randomly one of the four states $|\pm x\rangle$ or $|\pm z\rangle$; Bob measures either $\sigma_x$ or $\sigma_z$. Thus, at the "quantum" level, the protocol is identical to BB84, and can be immediately implemented with the existing devices. However, we modify the classical sifting procedure: instead of revealing the basis, Alice announces publicly one of the four pairs of non-orthogonal states $A_{\omega,\omega'} = \{|\omega x\rangle, |\omega' z\rangle\}$ with $\omega, \omega' \in \{+,-\}$, and with the convention that $|\pm x\rangle$ code for 0 and $|\pm z\rangle$ code for 1. Within each set, the overlap of the two states is $\chi = \frac{1}{\sqrt{2}}$. Because of the peculiar choice of states, the usual procedure of choosing randomly between $\sigma_x$ or $\sigma_z$ turns out to implement the most effective unambiguous discrimination. For definiteness, suppose that for a given qubit Alice has sent $|+x\rangle$, and that she has announced the set $A_{+,+}$. If Bob has measured $\sigma_x$, which happens with probability $\frac12$, he has certainly got the result $+1$; but since this result is possible for both states in the set $A_{+,+}$, he has to discard it. If Bob has measured $\sigma_z$ and got $+1$, again he cannot discriminate. But if he has measured $\sigma_z$ and got $-1$, then he knows that Alice has sent $|+x\rangle$ and adds a 0 to his key. By symmetry, we see that after this sifting procedure Bob is left with $\frac14$ of the raw list of bits, compared to the $\frac12$ of the original BB84 protocol. Thus, for a fair comparison with BB84 using $\mu = 0.1$, we shall take here $\mu = 0.2$, so that the net key rates without eavesdropper at a given distance are the same for both protocols. In spite of the fact that a larger $\mu$ is used (that is, multi-photon pulses are more frequent), this new protocol is provably better than BB84 against PNS attacks at QBER $= 0$. This is our main claim, and is demonstrated in the following.
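To make the two sifting rules concrete, the Python code below (an added example, not the authors' code) enumerates every combination of Alice's state, her public announcement, Bob's measurement basis and his outcome with exact fractions, and applies the BB84 rule and the new rule to the same raw data. It confirms the $\frac12$ versus $\frac14$ sifted fractions, that both rules give zero errors in the absence of Eve, and that $\mu = 0.2$ for the new protocol and $\mu = 0.1$ for BB84 yield the same net rate factor. Encoding a state as a (sign, basis) pair is this example's own convention.

```python
"""Worked example (added; not the Letter's code): exact enumeration of BB84 basis
reconciliation and of the new sifting rule, where Alice announces a pair
A_{w,w'} = {|w x>, |w' z>}, on the same four states and the same sigma_x / sigma_z
measurements. All probabilities are exact fractions."""
from fractions import Fraction
from itertools import product

SIGNS = (+1, -1)
BASES = ("x", "z")


def outcome_distribution(state, basis):
    """Born rule for the four states: measured in its own basis a state returns its
    sign with certainty, in the conjugate basis +1 or -1 with probability 1/2 each."""
    sign, state_basis = state
    if basis == state_basis:
        return {sign: Fraction(1)}
    return {+1: Fraction(1, 2), -1: Fraction(1, 2)}


def bb84_sift(alice_basis, bob_basis, outcome):
    """BB84 sifting: keep the item when the bases match; + codes 0, - codes 1."""
    if alice_basis != bob_basis:
        return None
    return 0 if outcome == +1 else 1


def new_sift(announced_set, bob_basis, outcome):
    """New sifting: Alice announced (w, w') meaning the pair {|w x>, |w' z>}.
    Bob's result is conclusive only when one member of the pair cannot produce it;
    the other member was then sent. Convention: |+-x> code 0, |+-z> code 1."""
    w_x, w_z = announced_set
    expected = w_x if bob_basis == "x" else w_z
    if outcome == expected:
        return None                       # both members can give this outcome
    return 1 if bob_basis == "x" else 0   # x member excluded -> z sent, and vice versa


def alice_bit(state):
    """Bit value of a state under the new protocol's convention."""
    return 0 if state[1] == "x" else 1


def bb84_bit(state):
    """Bit value of a state under the BB84 convention."""
    return 0 if state[0] == +1 else 1


def enumerate_protocol(protocol):
    """Average over Alice's state, her announcement, Bob's basis and his outcome.
    Returns (fraction of raw items kept, fraction of kept items that are wrong)."""
    kept = errors = Fraction(0)
    for (sign, basis), bob_basis in product(product(SIGNS, BASES), BASES):
        state = (sign, basis)
        p_prep = Fraction(1, 4) * Fraction(1, 2)      # uniform state, uniform Bob basis
        for outcome, p_out in outcome_distribution(state, bob_basis).items():
            if protocol == "bb84":
                bob_bit = bb84_sift(basis, bob_basis, outcome)
                if bob_bit is not None:
                    kept += p_prep * p_out
                    errors += p_prep * p_out * (bob_bit != bb84_bit(state))
            else:
                for partner in SIGNS:                 # Alice picks the other member at random
                    announced = (sign, partner) if basis == "x" else (partner, sign)
                    bob_bit = new_sift(announced, bob_basis, outcome)
                    if bob_bit is not None:
                        kept += p_prep * p_out * Fraction(1, 2)
                        errors += p_prep * p_out * Fraction(1, 2) * (bob_bit != alice_bit(state))
    return kept, (errors / kept if kept else Fraction(0))


def net_rate_factor(protocol, mu):
    """Net key rate is proportional to (sifted fraction) * mu, since R_raw ~ eta_det eta_delta mu."""
    return enumerate_protocol(protocol)[0] * Fraction(mu).limit_denominator(1000)


if __name__ == "__main__":
    for name in ("bb84", "new"):
        kept, qber = enumerate_protocol(name)
        print(f"{name}: kept {kept} of the raw items, error fraction {qber}")
    print("net rate factor, BB84 with mu=0.1:", net_rate_factor("bb84", 0.1))
    print("net rate factor, new  with mu=0.2:", net_rate_factor("new", 0.2))
```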

PNS attacks at QBER $= 0$. First, let us prove something that we mentioned above, namely: for protocols using four states like the one under study, Eve can obtain full information from three-photon pulses by using strategies based on unambiguous state-discrimination. Such strategies have also been considered for BB84, because (although worse than the storage attack for an all-powerful Eve) they don't require a quantum memory [12], and in their simplest implementation the photon-number QND measurement is not required either [13]. The most powerful of these attacks, against which any protocol using four states becomes completely insecure for the three-photon pulses, goes as follows [14]. A pulse containing three photons is necessarily in one of the four states $|\Psi_1\rangle = |+z\rangle^{\otimes 3}$, $|\Psi_2\rangle = |+x\rangle^{\otimes 3}$, $|\Psi_3\rangle = |-z\rangle^{\otimes 3}$, $|\Psi_4\rangle = |-x\rangle^{\otimes 3}$; that is, in the symmetric subspace of 3 qubits. The dimension of this subspace is 4, and it can be shown that all the $|\Psi_k\rangle$ are linearly independent [15]. Therefore, there exists a measurement $\mathcal{M}$ that distinguishes unambiguously among them, with some probability of success. In the present case, there exist even four orthogonal states of three qubits, $|\Phi_k\rangle$, $k = 1,\dots,4$, such that $\langle\Phi_i|\Psi_j\rangle \propto \delta_{ij}$ [16]. The measurement $\mathcal{M}$ is then any von Neumann measurement discriminating the $|\Phi_k\rangle$; it will give a conclusive outcome with probability $p_{ok} = \frac12$, which is optimal [15,17].

It is then clear that Eve can obtain full information if she can block all the one- and two-photon pulses and half of the three-photon pulses, by applying the following PNS attack: (I) she measures the number of photons; (II) she discards all pulses containing less than 3 photons; (III) on the pulses containing at least 3 photons, she performs $\mathcal{M}$, and if the result is conclusive (which happens with probability $p_{ok} \ge \frac12$) she sends a new photon prepared in the good state to Bob. We refer to this attack as to intercept-resend with unambiguous discrimination (IRUD) attack. Neither the quantum memory is needed, nor is the lossless channel, since the new state can be prepared by a friend of Eve located close to Bob.

The critical attenuation $\delta_c$ at which the IRUD attack becomes always possible is defined by $\eta_{\delta_c}\,\mu = p_{ok}\,p_3(\mu)$; for $\mu = 0.2$, this gives $\delta_c = 25.6$ dB $\approx 2\,\delta_c^{BB84}$. Thus, the ultimate limit of robustness (in the case of zero errors) is shifted from $\sim 50$ km up to $\sim 100$ km by using our simple modification of the BB84 protocol. To further increase the limit of 100 km, one can move to protocols using six or more non-orthogonal states [17].

Figure 2 plots Eve's information for the best PNS attack at QBER $= 0$, as a function of the attenuation. Note that the new protocol is better than BB84 at any distance. For almost all $\delta < \delta_c$, the best PNS attack is not the IRUD but a storage attack, in which Eve keeps one or two photons in a quantum memory and waits for the announcements of the sifting phase. Recall that in BB84, this kind of attack provides Eve with full information. In our protocol Alice announces sets of two non-orthogonal states, so storage attacks give Eve only a limited amount of information. If Eve keeps $n$ photons and the overlap is $\chi$ (here, $1/\sqrt{2}$), the largest information she can obtain is $I(n,\chi) = 1 - H(P, 1-P)$ with $P = \frac12\left(1 + \sqrt{1 - \chi^{2n}}\right)$ [9]. In particular, Eve obtains $I(1, 1/\sqrt{2}) \approx 0.4$ bits/pulse for the attenuation $\delta_1$ at which she can always keep one photon ($\delta_1 \approx 11$ dB for $\mu = 0.2$).
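The figures quoted in this paragraph and in the IRUD paragraph above can be reproduced with the Python code below, added here as an example (not the authors' code): the IRUD critical attenuation from $\eta_{\delta_c}\mu = p_{ok}\,p_3(\mu)$, the attenuation $\delta_1$ from the leading-order form of (3), $\eta_{\delta_1}\mu = p_2(\mu)$, and Eve's storage-attack information $I(n,\chi)$. Using the leading-order form of (3) for both $\delta_1$ and $\delta_c^{BB84}$ is this example's choice; it reproduces the rounded values given in the text.

```python
"""Worked example (added; not the Letter's code): zero-QBER figures of merit for the
new protocol. IRUD critical attenuation, one-photon storage attenuation, and the
information I(n, chi) Eve gains from n stored photons once a pair of overlap chi
is announced. Standard library only."""
import math


def poisson(n, mu):
    """p_n(mu) = e^{-mu} mu^n / n!: photon-number statistics of a phase-randomised weak pulse."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def db_from_transmission(eta):
    """Invert eq. (2): attenuation in dB for a fibre transmission eta."""
    return -10 * math.log10(eta)


def irud_critical_attenuation(mu, p_ok=0.5):
    """delta_c such that eta_{delta_c} mu = p_ok p_3(mu): from this attenuation on, Eve can
    discard every pulse with fewer than three photons and resend a conclusively identified
    state for the rest without lowering Bob's detection rate."""
    return db_from_transmission(p_ok * poisson(3, mu) / mu)


def one_photon_storage_attenuation(mu):
    """delta_1 such that eta_{delta_1} mu = p_2(mu), the leading-order form of eq. (3):
    from this attenuation on, Eve can block every single-photon pulse and keep one
    photon of each two-photon pulse while Bob's rate (eq. 1) stays unchanged."""
    return db_from_transmission(poisson(2, mu) / mu)


def binary_entropy(p):
    """H(p, 1-p) in bits, with the 0 log 0 = 0 convention."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def storage_information(n, chi):
    """I(n, chi) = 1 - H(P, 1-P) with P = (1 + sqrt(1 - chi^(2n))) / 2: the most Eve can
    learn about the bit from n stored copies of one of two states with overlap chi."""
    p = 0.5 * (1 + math.sqrt(1 - chi ** (2 * n)))
    return 1 - binary_entropy(p)


def summary(mu_new=0.2, mu_bb84=0.1, chi=1 / math.sqrt(2)):
    """The numbers compared in the text: new protocol at mu=0.2 against BB84 at mu=0.1."""
    return {
        "delta_c_new_dB": irud_critical_attenuation(mu_new),
        "delta_c_bb84_dB": one_photon_storage_attenuation(mu_bb84),  # leading order of eq. (3)
        "delta_1_new_dB": one_photon_storage_attenuation(mu_new),
        "I_1_bits": storage_information(1, chi),
        "I_2_bits": storage_information(2, chi),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:>16}: {value:.3f}")
```

With $\mu = 0.2$ the IRUD limit comes out at 25.6 dB, about twice the 13.4 dB of BB84 at $\mu = 0.1$; $\delta_1 \approx 10.9$ dB; and a single stored photon yields $I(1, 1/\sqrt{2}) \approx 0.40$ bits, two stored photons about 0.65 bits, the value tending to 1 bit only as $n$ grows, which is the quantitative content of the statement that storage attacks give Eve limited information here while they give full information against BB84.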

In conclusion: in the limiting case of QBER $= 0$, our protocol is always more secure than BB84 against PNS attacks, and can be made provably secure against such attacks in regions where BB84 is already provably insecure. Recall that the comparison is made by fixing the net key rates without eavesdropper at a given distance.

Attacks at QBER $> 0$ on the new protocol. In real experiments, dark counts in the detectors and misalignment of optical elements always introduce some errors. It is then important to show that the specific protocol we presented does not break down if a small amount of error on Bob's side is allowed. Several attacks at non-zero QBER are described in detail in Ref. [17]. Here, we sketch the analysis of two individual attacks.

First, let us suppose that Eve uses the phase-covariant cloning machine that is the optimal individual attack against BB84 [18]. In the case of the present protocol, Eve can extract less information from her clones, again because Alice does not disclose a basis but a set of non-orthogonal states. As a consequence, the condition $I_{Bob} = I_{Eve}$ is fulfilled up to QBER $= 15\%$ [17], a value which is slightly higher than the 14.67% obtained for BB84. So our new protocol, designed to avoid PNS attacks in a weak-pulses implementation, seems to be robust also against individual eavesdropping in a single-photon implementation. Incidentally note that, in the case of a single-photon implementation, our protocol is at least as secure as the B92 protocol in the sense of "unconditional security" proofs [19]. This is because our protocol can be seen as a modified B92, where Alice chooses randomly between four sets of non-orthogonal states [20].

The second kind of individual attacks that we like to discuss, and that we call PNS+cloning attacks, are specific to imperfect sources. Focus on the range $\delta \sim 10$ to $20$ dB (see Fig. 2), where one-photon pulses can be blocked and the occurrence of three or more photons is still comparatively rare. Because for the BB84 Eve has already full information in this range, such attacks have never been considered before. Eve could take the two photons, apply an asymmetric $2 \to 3$ cloning machine and send one of the clones to Bob; she keeps two clones and some information in the machine. By a suitable choice of the cloning machine, the QBER at which $I_{Bob} = I_{Eve}$ is lowered down to $\sim 9\%$ [17]. In Ref. [21], a successful qubit distribution over 67 km with $\mu = 0.2$ and QBER $= 5\%$ has been reported. Under the considered PNS attacks, such distribution is provably insecure using the sifting procedure of BB84, while it can yield a secret key if our sifting procedure is used.

In summary, we have shown that by encoding a classical bit in sets of non-orthogonal qubit states, quantum cryptography can be made significantly more robust against photon-number splitting attacks. We have presented a specific protocol, which is identical to the BB84 protocol for all the manipulations at the quantum level and differs only in the classical sifting procedure. Under the studied attacks, our protocol is secure in a region where BB84 is provably insecure. Preliminary studies of more complex attacks suggest that it is at least as robust as BB84 in any situation, and could then replace it. Moreover, our encoding can easily be combined with more complex procedures on the quantum level, e.g. [22].
FIG. 1. Two pairs of non-orthogonal states on the equator of the Poincaré sphere, and the effect of the filter $F_A$.

FIG. 2. PNS attacks with QBER $= 0$ on the BB84 protocol for $\mu = 0.1$ and on the new protocol for $\mu = 0.2$: Eve's information as a function of the attenuation $\delta = \alpha\ell$.